[meta] Enable USER_RESTRICTED for content processes
Categories
(Core :: Security: Process Sandboxing, enhancement, P2)
Tracking

| Flag | Tracking | Status |
|---|---|---|
| firefox134 | --- | fixed |
People
(Reporter: jimm, Assigned: bobowen)
References
(Blocks 1 open bug)
Details
(Keywords: meta, Whiteboard: sb+)
Attachments
(1 file)
Comment 1•3 years ago
Note: removing the network access is also important in the context that it removes any excuse to inject into the content process to inspect networking.
Comment 2•2 months ago
Hey Bob, do we have any timeline for shipping this? Are there blockers or other concerns left that need to be addressed, or can we start an experiment?
Comment 3•2 months ago
(In reply to Christian Holler (:decoder) from comment #2)
> Hey Bob, do we have any timeline for shipping this? are there blockers or other concerns left that need to be addressed or can we start an experiment?
No blockers that I know of.
I've just started looking at the experiment documentation (for nimbus I think).
Not clear whether we need extra code or how much work setting up the experiment is; I've barely had any experience of it.
Comment 4•2 months ago
I've checked back through the list of things that disqualify win32k lockdown.
- Safe mode: We don't drop back to USER_LIMITED for this; it is a bit odd to have safe mode make security worse, but it probably makes sense initially. We should probably remove this check for win32k lockdown now.
- Env var: We already have an env var to disable the sandbox, I don't think we need one specifically for dropping back to USER_LIMITED.
- No e10s: As far as I can tell this can no longer be disabled in official builds when non-local connections are allowed and only then by env var. Obviously this is only a reason disabled reporting thing either way.
- Win10 Creators update or later: Not relevant for USER_RESTRICTED.
- Windows Exploit Protection mitigations: All the ones checked for in the win32k lockdown code don't seem to affect USER_RESTRICTED.
- Missing webgl oop: We have a check for this, but the win32k lockdown one includes a feature check ... we should probably add this.
- Missing remote decoders: We have a check for this.
Win32k lockdown also used to have a check for missing webrender and non-native theme, but these were removed because it is not possible to disable either any more.
So, in summary our checks are probably fine, but adding safe mode and webgl oop feature check is probably a good idea.
Comment 5•1 month ago
For reference - experiment links:
Experiment Brief document
Nimbus experiment
Experiment QA Jira Ticket
(In reply to Bob Owen (:bobowen) from comment #5)
> For reference - experiment links:
> Experiment Brief document
> Nimbus experiment
> Experiment QA Jira Ticket
Note, only for Mozilla staff with special access (me not sadly)
Comment 7•17 days ago